龙空技术网

centos7搭建DNS服务

散文随风想 1117

前言:

此刻朋友们对“centos7无法解析域名”都比较关注,兄弟们都想要剖析一些“centos7无法解析域名”的相关文章。那么小编在网上汇集了一些有关“centos7无法解析域名””的相关资讯,希望兄弟们能喜欢,各位老铁们快快来了解一下吧!

DNS服务类型

主机记录

记录类型

记录值

ns1

A

192.168.1.1

ns2

A

192.168.1.2

www

A

192.168.1.100

bbs

CNAME

www

ftp

A

192.168.1.110

mail

MX 10

192.168.1.120

一、服务配置

安装与配置简洁示例,详细配置可参考下面章节:

# 1. 安装DNS服务[root@vm ~]# yum -y install bind bind-utils# 2. 启动DNS服务[root@vm ~]# systemctl enable named --now[root@vm ~]# systemctl status named[root@vm ~]# systemctl stop named[root@vm ~]# systemctl start named[root@vm ~]# systemctl restart named# 3. 修改 NAME_SERVER[root@vm ~]# vi /etc/resolv.confnameserver 127.0.0.1# 4. 修改named.conf配置文件[root@vm ~]# cp /etc/named.conf{,_bak}[root@vm ~]# sed -i -e "s/listen-on port.*/listen-on port 53 { any; };/" /etc/named.conf[root@vm ~]# sed -i -e "s/allow-query.*/allow-query { any; };/" /etc/named.conf[root@vm ~]# sed -i '/recursion yes;/a \        forward first; \        forwarders { 114.114.114.114; 8.8.8.8; };' /etc/named.conf[root@vm ~]# sed -i -e "s/dnssec-enable.*/dnssec-enable no;/" /etc/named.conf[root@vm ~]# sed -i -e "s/dnssec-validation.*/dnssec-validation no;/" /etc/named.conf # 5. 修改 zones 文件 [root@vm ~]# cat >> /etc/named.rfc1912.zones << EOFzone "crc.testing" IN {        type master;        file "crc.testing.zone";        allow-update { none; };};zone "apps-crc.testing" IN {        type master;        file "apps-crc.testing.zone";        allow-update { none; };};EOF [root@vm ~]# cat > /var/named/crc.testing.zone << EOF\$TTL 1D@       IN SOA  crc.testing. admin.crc.testing. (                                            0       ; serial                                        1D      ; refresh                                        1H      ; retry                                         1W      ; expire                                        3H )    ; minimum        NS      ns.crc.testing.          *       IN A    ${NAME_SERVER}EOF [root@vm ~]# cat > /var/named/apps-crc.testing.zone << EOF\$TTL 1D@       IN SOA  apps-crc.testing. admin.apps-crc.testing. (                                            0       ; serial                                        1D      ; refresh                                        1H      ; retry                                         1W      ; expire                                        3H )    ; minimum        NS      ns.apps-crc.testing.          *       IN A    ${NAME_SERVER}EOF# 6. 重启DNS服务[root@vm ~]# systemctl restart named

快速示例二(use) :

# 临时关闭SELinux与防火墙[root@localhost ~]# setenforce 0[root@localhost ~]# systemctl stop firewalld # 永久关闭[root@localhost ~]# sed -i 's/SELINUX=enforcing/SELINUX=disabled/g' /etc/selinux/config[root@localhost ~]# systemctl disable firewalld #查看selinux, firewalld 状态[root@localhost ~]# getenforcePermissive[root@localhost ~]# systemctl status firewalld # 1. 安装DNS服务[root@vm ~]# yum -y install bind bind-utils # 2. 启动DNS服务[root@vm ~]# systemctl enable named --now[root@vm ~]# systemctl status named[root@vm ~]# systemctl stop named[root@vm ~]# systemctl start named[root@vm ~]# systemctl restart named # 3. 修改 NAME_SERVER 和 ifcfg 文件[root@vm ~]# vi /etc/resolv.confnameserver 127.0.0.1 [root@vm ~]# vi /etc/sysconfig/network-scripts/ifcfg-ens3# 添加或修改如下内容(192.168.0.134为本机DNS所在机器ip)DNS1=192.168.0.134# 重启网络服务[root@vm ~]# systemctl restart network # 4. 修改named.conf配置文件[root@vm ~]# cp /etc/named.conf{,_bak}# 说明:# listen-on port 53 {192.168.80.150;}; 设置为本地的IP地址即可。# listen-on port 53 { any; }; 。设置为所有IP地址均可访问# allow-query {any;}  设置为所有人都可以访问。[root@Centos7-1 ~]# vi /etc/named.conf// named.conf//// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS// server as a caching only nameserver (as a localhost DNS resolver only).//// See /usr/share/doc/bind*/sample/ for example named configuration files.//// See the BIND Administrator Reference Manual (ARM) for details about the// configuration located in /usr/share/doc/bind-{version}/Bv9ARM.htmloptions {        # 设置为所有IP地址均可访问        listen-on port 53 { any; };        listen-on-v6 port 53 { ::1; };        directory       "/var/named";        dump-file       "/var/named/data/cache_dump.db";        statistics-file "/var/named/data/named_stats.txt";        memstatistics-file "/var/named/data/named_mem_stats.txt";        recursing-file  "/var/named/data/named.recursing";        secroots-file   "/var/named/data/named.secroots";        # 设置为所有人都可以访问。        allow-query { any; };        /*         - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.         - If you are building a RECURSIVE (caching) DNS server, you need to enable           recursion.         - If your recursive DNS server has a public IP address, you MUST enable access           control to limit queries to your legitimate users. Failing to do so will           cause your server to become part of large scale DNS amplification           attacks. Implementing BCP38 within your network would greatly           reduce such attack surface        */        # 配置 recursion, forward, forwarders   字段        recursion yes;        forward first;        forwarders { 114.114.114.114; 8.8.8.8; };        # 配置 dnssec-enable, dnssec-validation 字段        dnssec-enable no;        dnssec-validation no;        /* Path to ISC DLV key */        bindkeys-file "/etc/named.root.key";        managed-keys-directory "/var/named/dynamic";        pid-file "/run/named/named.pid";        session-keyfile "/run/named/session.key";};logging {        channel default_debug {                file "data/named.run";                severity dynamic;        };};zone "." IN {        type hint;        file "named.ca";};# 关联 zones 文件include "/etc/named.rfc1912.zones";include "/etc/named.root.key"; # 5. 修改 zones 文件 及 解析文件 5.1 编辑 zone 文件[root@vm ~]# cp /etc/named.rfc1912.zones{,_bak}[root@vm ~]# cat >> /etc/named.rfc1912.zones << EOFzone "my-ocp-cluster.com" IN {        type master;        file "openshift.hosts";        allow-update { none; };};zone "134.0.11.10.in-addr.arpa" IN {        type master;        file "openshift.hosts.arpa";        allow-update { none; };};EOF 5.2 编辑正向解析文件 [root@vm ~]# vi /var/named/openshift.hosts$TTL 1D@       IN      SOA     @       root. (                        2019070700      ; serial                        3H              ; refresh                        30M             ; retry                        2W              ; expiry                        1W )    	; minimum @       NS              ns1.my-ocp-cluster.com. ns1                     IN      A       192.168.0.134 helper  IN      A       192.168.0.134 api                     IN      A       192.168.0.134api-int         IN      A       192.168.0.134*.apps          IN      A       192.168.0.134bootstrap       IN      A       192.168.0.134master0         IN      A       192.168.0.120master1         IN      A       192.168.0.122master2         IN      A       192.168.0.123worker0         IN      A       192.168.0.124worker1         IN      A       192.168.0.125 # 5.3 编辑反向解析文件[root@vm ~]# vi /var/named/openshift.hosts.arpa$TTL 1D@       IN      SOA     @       root. (                                        2019070700      ; serial                                        3H              ; refresh                                        30M             ; retry                                        2W              ; expiry                                        1W )            ; minimum@       IN      NS      ns1.my-ocp-cluster.com. 10      IN      PTR     api.my-ocp-cluster.com11      IN      PTR     api-int.my-ocp-cluster.com12      IN      PTR     bootstrap.my-ocp-cluster.com100     IN      PTR     master0.my-ocp-cluster.com101     IN      PTR     master1.my-ocp-cluster.com102     IN      PTR     master2.my-ocp-cluster.com103     IN      PTR     worker0.my-ocp-cluster.com104     IN      PTR     worker1.my-ocp-cluster.com # 添加完文件后修改文件属性[root@vm ~]# chown :named /var/named/openshift* # 6. 重启DNS服务[root@vm ~]# systemctl restart named# 检测配置文件[root@vm ~]# named-checkconf -z /etc/named.rfc1912.zones# 检测正向解析文件[root@vm ~]# named-checkzone my-ocp-cluster.com /var/named/openshift.hosts# 检测反向解析文件[root@vm ~]# named-checkzone 134.0.168.192.in-addr.arpa /var/named/openshift.hosts.arpa # 7. 分别配置集群其它节点DNS访问地址[root@vm ~]# vi /etc/resolv.conf[root@openshift-base ~]# cat /etc/resolv.conf# Generated by NetworkManagernameserver 192.168.0.133[root@vm ~]# vi /etc/sysconfig/network-scripts/ifcfg-ens3# 添加或修改如下内容(192.168.0.134为本机DNS所在机器ip)DNS1=192.168.0.134# 重启网络服务[root@vm ~]# systemctl restart network # 8. 正向检测解析# 其它按此方法域名依次检测即可[root@centos7 ~]# nslookup master0.my-ocp-cluster.comServer:         192.168.0.134Address:        192.168.0.134#53 Name:   master0.my-ocp-cluster.comAddress: 192.168.0.120 # 9. 反向检测解析[root@openshift-base ocp]# nslookup 192.168.0.134 120.0.11.10.in-addr.arpa name = master0.my-ocp-cluster.com.

1.1 关闭SELinux与防火墙(use)

[root@localhost ~]# setenforce 0[root@localhost ~]# systemctl stop firewalld# 永久关闭[root@localhost ~]# sed -i 's/SELINUX=enforcing/SELINUX=disabled/g' /etc/selinux/config[root@localhost ~]# systemctl disable firewalld

1.2 配置网卡

配置网卡,使其可以访问本地DNS, 详情可参考:Centos7修改DNS Server

windows修改DNS配置,可参考:win10修改DNS配置

[root@localhost ~]# vi /etc/sysconfig/network-scripts/ifcfg-eno16777736BOOTPROTO=staticONBOOT=yesIPADDR=192.168.1.1NETMASK=255.255.255.0DNS1=114.114.114.114DNS2=127.0.0.1 # 访问本地DNS服务

1.3 yum 安装DNS服务

安装bind包, vim包:

[root@localhost ~]# yum install -y bind* vim*# 查看bind是否完成[root@localhost yum.repos.d]# rpm -aq |grep bind# 状态管理systemctl enable named --nowsystemctl status namedsystemctl stop namedsystemctl start namedsystemctl restart named# 修改本机 nameserver [root@localhost yum.repos.d]# vi /etc/resolv.conf# Generated by NetworkManagernameserver 127.0.0.1

/etc/named.conf文件说明:

  ......                                     //略options{     listen-on port 53 { 127.0.0.1;);    // 指定BIND侦听的DNS查询请求的本  // 机即P地址及端口listen-on-v6 port 53{::1;};         // 限于 IPv6directory "/var/named";  // 指定区域配置文件所在的路径dump-file "/var/named/data/cache_dump.db";statistics-file "/var/named/data/named_stats.txt";memstatistics-file "/var/named/data/named_mem_stats.txt";allow-query { localhost;};  // 指定接收DNS查询请求的客户端recursion yes;dnssec-enable yes;dnssec-validation yes;      // 改为no可以忽略SELinux影响dnssec-lookaside auto;.....};// 以下用于指定BIND服务的日志参数logging {         channel default debug {         file "data/named.run";         severity dynamic;   };};zone "."  IN  {  // 用于指定根服务器的配置信息,一般不能改动type hint;file "named.ca";};include "/etc/named.zones"; // 指定主配置文件,一定根据实际修改include "/etc/named.root.key";

/etc/named.rfc1912.zones文件说明:

// named.rfc1912.zones://// Provided by Red Hat caching-nameserver package//// ISC BIND named zone configuration for zones recommended by// RFC 1912 section 4.1 : localhost TLDs and address zones// and  (c)2007 R W Franks//// See /usr/share/doc/bind*/sample/ for example named configuration files.//zone "localhost.localdomain" IN {        type master;        file "named.localhost";        allow-update { none; };};zone "localhost" IN {        type master;        file "named.localhost";        allow-update { none; };};zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa" IN {        type master;        file "named.loopback";        allow-update { none; };};zone "1.0.0.127.in-addr.arpa" IN {        type master;        file "named.loopback";        allow-update { none; };};zone "0.in-addr.arpa" IN {        type master;        file "named.empty";        allow-update { none; };};zone "ocp4.my-ocp-cluster.com" IN { // 正向解析,这里定义要访问的基域,例如 正向解析要访问*.ssx.com, 那么这里就要写成ssx.com        type master;        file "openshift.hosts";        allow-update { none; };};zone "134.0.11.10.in-addr.arpa" IN {  // 这里定义要访问的反向解析地址        type master;        file "openshift.hosts.arpa";        allow-update { none; };};

查看DNS服务器IP地址信息:

[root@localhost ~]# vim /etc/sysconfig/network-scripts/ifcfg-ens33TYPE=EthernetPROXY_METHOD=noneBROWSER_ONLY=noDEFROUTE=yesIPV4_FAILURE_FATAL=noIPV6INIT=yesIPV6_AUTOCONF=yesIPV6_DEFROUTE=yesIPV6_FAILURE_FATAL=noIPV6_ADDR_GEN_MODE=stable-privacyNAME=ens33UUID=9f92031e-cb20-4cde-b796-6935a082ba86DEVICE=ens33# 检查项BOOTPROTO=staticONBOOT=yesIPADDR=192.168.10.1NETMASK=255.255.255.0GATEWAY=192.168.10.254DNS1=192.168.10.1

查看并检查配置的网络

[root@localhost ~]# ip add

1.4 配置示例1--use

1.4.1 编辑dns配置文件

[root@Centos7-1 ~]# cp /etc/named.conf /etc/named.conf-bak# or[root@Centos7-1 ~]# cp /etc/named.conf{,_bak}

编辑 /etc/named.conf 文件:

# listen-on port 53 {192.168.80.150;}; 设置为本地的IP地址即可。# listen-on port 53 { any; }; 。设置为所有IP地址均可访问# allow-query {any;}  设置为所有人都可以访问。[root@Centos7-1 ~]# vi /etc/named.conf// named.conf//// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS// server as a caching only nameserver (as a localhost DNS resolver only).//// See /usr/share/doc/bind*/sample/ for example named configuration files.//// See the BIND Administrator's Reference Manual (ARM) for details about the// configuration located in /usr/share/doc/bind-{version}/Bv9ARM.htmloptions {        # 设置为所有IP地址均可访问        listen-on port 53 { any; };        listen-on-v6 port 53 { ::1; };        directory       "/var/named";        dump-file       "/var/named/data/cache_dump.db";        statistics-file "/var/named/data/named_stats.txt";        memstatistics-file "/var/named/data/named_mem_stats.txt";        recursing-file  "/var/named/data/named.recursing";        secroots-file   "/var/named/data/named.secroots";        # 设置为所有人都可以访问。        allow-query { any; };        /*         - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.         - If you are building a RECURSIVE (caching) DNS server, you need to enable           recursion.         - If your recursive DNS server has a public IP address, you MUST enable access           control to limit queries to your legitimate users. Failing to do so will           cause your server to become part of large scale DNS amplification           attacks. Implementing BCP38 within your network would greatly           reduce such attack surface        */        # 配置 recursion, forward, forwarders   字段        recursion yes;        forward first;        forwarders { 114.114.114.114; 8.8.8.8; };        # 配置 dnssec-enable, dnssec-validation 字段        dnssec-enable no;        dnssec-validation no;        /* Path to ISC DLV key */        bindkeys-file "/etc/named.root.key";        managed-keys-directory "/var/named/dynamic";        pid-file "/run/named/named.pid";        session-keyfile "/run/named/session.key";};logging {        channel default_debug {                file "data/named.run";                severity dynamic;        };};zone "." IN {        type hint;        file "named.ca";};# 关联 zones 文件include "/etc/named.rfc1912.zones";include "/etc/named.root.key";include "/etc/named.zones";

生成相应zones文件:

[root@Centos7-1 ~]#cp -p /etc/named.rfc1912.zones /etc/named.zones

编辑 named.zones文件:

[root@localhost ~]# vim /etc/named.zones# named.zones文件内容如下:zone "ssx.com" IN {     // 正向根域文件的定义	type master;    // 作为根域	file "ssx.com.hosts";  // 根域正向解析文件名};zone "10.168.192.in-addr.arpa" IN {   // 反向根域文件的定义, 这里的10.168.192是ip的前几段(前几段都可以)的倒写	type master;                // 作为根域	file "ssx.com.back";          // 根域反向解析文件名};

检查主配置文件:

[root@localhost ~]# named-checkconf

1.4.2 配置正向解析文件

先将/var/named/named.localhost 进行复制到/var/named/ssx.com.hosts中,目的是为了保存文件格式:

[root@localhost ~]#cp -p /var/named/named.localhost /var/named/ssx.com.hosts

编辑ssx.com.hosts文件:

[root@localhost ~]# vim /var/named/ssx.com.hosts$TTL 1D@       IN SOA  @ root.ssx.com. (                                        0       ; serial                                        1D      ; refresh                                        1H      ; retry                                        1W      ; expire                                        3H )    ; minimum@               NS      dns.ssx.com.dns             IN A    10.11.0.133www             IN A    10.11.0.133smb             IN A    10.11.0.133ftp             IN A    10.11.0.133# =========================================== ##或者$TTL 1D@       IN SOA  @ root.ssx.com. (                                        0       ; serial                                        1D      ; refresh                                        1H      ; retry                                        1W      ; expire                                        3H )    ; minimum@               NS      dns.ssx.com.*               IN A    10.11.0.133# 说明 $TTL    缓存生存周期 @ = zonename = ssx.com  当前域 IN     互联网 SOA    开始授权 NS     dns服务器 A      ipv4正向, 将域名转换为对应的IP地址 AAAA   ipv6 CNAME  别名 MX     邮件交互记录 5      数字代表优先级, 数字越小优先级越高 PTR    将IP地址转换为对应的域名   0       ; serial   --更新序列号,可以是 10 位以内的整数 1D      ; refresh  --刷新时间,重新下载地址数据的间隔 1H      ; retry    --重试延时,下载失败后的重试间隔 3D      ; expire   --失效时间,超过该时间仍无法下载则放弃 1D )    ; minimum  无效解析记录的生存周期 @代表zone的意思,现在@代表ssx.com.;  SOA代表资源记录的名称为起始授权记录; root.ssx.com.表示有问题找该管理员; 0代表序列号; 1D代表更新频率为1天; 1H代表失败重新尝试时间为1小时; 3W代表失效时间为1周; 3H代表缓存时间为3小时

@dns.ssx.com. 是你的主机名加上域名(注意细节com.的点点

然后添加主机记录

NS dns.ssx.com. 本机的域名 dns A 192.168.10.100 dns为ssx.com的域名前坠,对应着192.168.10.100 www A 192.168.10.101 www为ssx.com的域名前坠,对应着192.168.10.101 ftp A 192.168.10.103 ftp为ssx.com的域名前坠,对应着192.168.10.103

检查正向解析文件

[root@localhost ~]# named-checkzone ssx.com /var/named/ssx.com.hostszone ssx.com/IN: loaded serial 0OK

1.4.3 配置反向解析文件

先将正向解析文件拷贝至/var/named/ssx.com.back

[root@localhost ~]#cp -p /var/named/ssx.com.hosts /var/named/ssx.com.back

[root@localhost ~]# vi /var/named/ssx.com.back$TTL 1D@       IN SOA  @ root.ssx.com. (                                        0       ; serial                                        1D      ; refresh                                        1H      ; retry                                        1W      ; expire                                        3H )    ; minimum@       IN      NS      dns.ssx.com.100     IN      PTR     dns.ssx.com101     IN      PTR          IN      PTR     smb.ssx.com103     IN      PTR         

检查反向解析文件:

[root@localhost ~]# named-checkzone 10.168.192.in-addr.arpa /var/named/ssx.com.backzone 10.168.192.in-addr.arpa/IN: loaded serial 0OK

1.4.4 启动named服务

[root@localhost ~]# systemctl start named [root@localhost ~]# systemctl restart named [root@localhost ~]# systemctl status namednamed.service - Berkeley Internet Name Domain (DNS)   Loaded: loaded (/usr/lib/systemd/system/named.service; disabled; vendor preset: disabled)   Active: active (running) since 日 2019-06-02 14:03:52 CST; 5s ago  Process: 4860 ExecStop=/bin/sh -c /usr/sbin/rndc stop > /dev/null 2>&1 || /bin/kill -TERM $MAINPID (code=exited, status=0/SUCCESS)  Process: 3348 ExecReload=/bin/sh -c /usr/sbin/rndc reload > /dev/null 2>&1 || /bin/kill -HUP $MAINPID (code=exited, status=0/SUCCESS)  Process: 4872 ExecStart=/usr/sbin/named -u named -c ${NAMEDCONF} $OPTIONS (code=exited, status=0/SUCCESS)  Process: 4870 ExecStartPre=/bin/bash -c if [ ! "$DISABLE_ZONE_CHECKING" == "yes" ]; then /usr/sbin/named-checkconf -z "$NAMEDCONF"; else echo "Checking of zone files is disabled"; fi (code=exited, status=0/SUCCESS) Main PID: 4874 (named)    Tasks: 4   CGroup: /system.slice/named.service           └─4874 /usr/sbin/named -u named -c /etc/named.conf6月 02 14:03:52  named[4874]: zone 10.168.192.in-addr.arpa/IN: loaded ... 06月 02 14:03:52  named[4874]: zone 1.0.0.127.in-addr.arpa/IN: loaded s... 06月 02 14:03:52  named[4874]: zone localhost.localdomain/IN: loaded se... 06月 02 14:03:52  named[4874]: zone ssx.com/IN: loaded serial 06月 02 14:03:52  named[4874]: zone localhost/IN: loaded serial 06月 02 14:03:52  named[4874]: all zones loaded6月 02 14:03:52  named[4874]: running6月 02 14:03:52  systemd[1]: Started Berkeley Internet Name Domain (DNS).6月 02 14:03:52  named[4874]: zone ssx.com/IN: sending notifies (serial 0)6月 02 14:03:52  named[4874]: zone 10.168.192.in-addr.arpa/IN: sending...0)Hint: Some lines were ellipsized, use -l to show in full.

1.4.5 检测正向解析

[root@centos7 ~]# nslookup smb.ssx.comServer: 127.0.0.1Address: 127.0.0.1#53 Name: smb.ssx.comAddress: 192.168.10.102

1.4.6 检测反向解析

[root@localhost ~]# nslookup 192.168.10.101Server: 192.168.10.200Address: 192.168.10.200#53101.10.168.192.in-addr.arpa name = .

1.4.7Linux客户机测试

Client1与DNS服务器的通信畅通

客户机操作:

[root@Client1 ~]# vim /etc/resolv.confnameserver 192.168.10.100search  ssx.com

Linux客户机关闭防火墙

[root@Client1 ~]#systemctl stop firewalld

客户机验证

[root@client1 ~]# nslookup > server          // 显示真实本机NDS server信息>      // 显示真实本机配置信息> 192.168.10.102  // 显示真实本机配置信息

1.5 配置示例2

1.5.1 编辑主配置文件(named.conf)

[root@localhost ~]# vim /etc/named.confoptions {    directory    "/var/named";    dump-file    "/var/named/data/cache_dump.db";    statistics-file    "/var/named/data/named_stats.txt";    memstatistics-file    "/var/named/data/named_mem_stats.txt";    recursion yes;    dnssec-enable no;    dnssec-validation no;    dnssec-lookaside auto;    bindkeys-file "/etc/named.iscdlv.key";    managed-keys-directory "/var/named/dynamic";    pid-file "/run/named/named.pid";    session-keyfile "/run/named/session.key";};

1.5.2 编辑区域配置文件(named.rfc1912.zones)

[root@localhost ~]# vim /etc/named.rfc1912.zoneszone "1.168.192.in-addr.arpa" IN {        type master;        file "infanx.com.loopback";        allow-update { none; };};zone "infanx.com" IN {        type master;        file "infanx.com.empty";        allow-update { none; };};

1.5.3 编辑正反向配置文件

[root@localhost ~]# cd /var/named[root@localhost named]# cp -p named.localhost infanx.com.empty[root@localhost named]# cp -p named.loopback infanx.com.loopback

正向文件:

$TTL 1D@       IN SOA  ns1.infanx.com. rname.invalid. (                                        0       ; serial                                        1D      ; refresh                                        1H      ; retry                                        1W      ; expire                                        3H )    ; minimum        IN      NS      ns1        IN      NS      ns2ns1     IN      A       192.168.1.1ns2     IN      A       192.168.1.2www     IN      A       192.168.1.100bbs     IN      CNAME   wwwftp     IN      A       192.168.1.110mail    IN      MX  10  192.168.1.120

反向文件:

$TTL 1D@       IN SOA  ns1.infanx.com. rname.invalid. (                                        0       ; serial                                        1D      ; refresh                                        1H      ; retry                                        1W      ; expire                                        3H )    ; minimum        IN      NS      ns1.infanx.com.        IN      NS      ns2.infanx.com.1       IN      PTR     ns1.infanx.com.2       IN      PTR     ns2.infanx.com.100     IN      PTR          IN      PTR     bbs.infanx.com.110     IN      PTR          IN      PTR     mail.infanx.com.

1.6 配置示例3

1.6.1 编辑主配置文件(named.conf)

默认配置即可:

[root@localhost ~]# vim /etc/named.confoptions {        listen-on port 53 { any; };        listen-on-v6 port 53 { ::1; };        directory       "/var/named";        dump-file       "/var/named/data/cache_dump.db";        statistics-file "/var/named/data/named_stats.txt";        memstatistics-file "/var/named/data/named_mem_stats.txt";        recursing-file  "/var/named/data/named.recursing";        secroots-file   "/var/named/data/named.secroots";        allow-query { any; };        /*         - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.         - If you are building a RECURSIVE (caching) DNS server, you need to enable           recursion.         - If your recursive DNS server has a public IP address, you MUST enable access           control to limit queries to your legitimate users. Failing to do so will           cause your server to become part of large scale DNS amplification           attacks. Implementing BCP38 within your network would greatly           reduce such attack surface        */        recursion yes;        forward first;        forwarders { 114.114.114.114; 8.8.8.8; };        dnssec-enable no;        dnssec-validation no;        /* Path to ISC DLV key */        bindkeys-file "/etc/named.root.key";        managed-keys-directory "/var/named/dynamic";        pid-file "/run/named/named.pid";        session-keyfile "/run/named/session.key";};logging {        channel default_debug {                file "data/named.run";                severity dynamic;        };};

1.6.2 编辑区域配置文件(named.rfc1912.zones)

[root@localhost ~]# vim /etc/named.rfc1912.zoneszone "api.crc.testing" IN {        type master;        file "api.crc.testing.zone";        allow-update { none; };};zone "console-openshift-console.apps-crc.testing" IN {        type master;        file "console-openshift-console.apps-crc.testing.zone";        allow-update { none; };};

1.6.3 编辑正反向配置文件

[root@localhost ~]# cd /var/named[root@localhost named]# cp -p named.localhost console-openshift-console.apps-crc.testing.zone[root@localhost named]# cp -p named.loopback api.crc.testing.zone

正向文件:

vi api.crc.testing.zone

$TTL 1D@       IN SOA  ns1.infanx.com. rname.invalid. (                                        0       ; serial                                        1D      ; refresh                                        1H      ; retry                                        1W      ; expire                                        3H )    ; minimum        IN      NS      ns1        IN      NS      ns2ns1     IN      A       192.168.1.1ns2     IN      A       192.168.1.2www     IN      A       192.168.1.100bbs     IN      CNAME   wwwftp     IN      A       192.168.1.110mail    IN      MX  10  192.168.1.120

反向文件:

$TTL 1D@       IN SOA  ns1.infanx.com. rname.invalid. (                                        0       ; serial                                        1D      ; refresh                                        1H      ; retry                                        1W      ; expire                                        3H )    ; minimum        IN      NS      ns1.infanx.com.        IN      NS      ns2.infanx.com.1       IN      PTR     ns1.infanx.com.2       IN      PTR     ns2.infanx.com.100     IN      PTR          IN      PTR     bbs.infanx.com.110     IN      PTR          IN      PTR     mail.infanx.com.

1.6.4 检查正向解析文件

[root@localhost ~]# named-checkzone ssx.com /var/named/ssx.com.hosts

1.7 重启DNS服务

[root@localhost named]# systemctl restart named

1.8 测试解析记录

按照1.5章节配置结果进行配置:

[root@localhost named]# nslookup> ns1.infanx.comServer:        192.168.1.1Address:    192.168.1.1#53Name:    ns1.infanx.comAddress: 192.168.1.1 > ns2.infanx.comServer:        192.168.1.1Address:    192.168.1.1#53Name:    ns2.infanx.comAddress: 192.168.1.2 > :        192.168.1.1Address:    192.168.1.1#53Name:    : 192.168.1.100 > bbs.infanx.comServer:        192.168.1.1Address:    192.168.1.1#53bbs.infanx.com    canonical name = :    : 192.168.1.100 > :        192.168.1.1Address:    192.168.1.1#53Name:    : 192.168.1.110 > mail.infanx.comServer:        192.168.1.1Address:    192.168.1.1#53Name:    : 192.168.1.120 > 192.168.1.1    Server:        192.168.100.100Address:    192.168.100.100#531.1.168.192.in-addr.arpa    name = ns1.infanx.com. > 192.168.1.2Server:        192.168.100.100Address:    192.168.100.100#532.1.168.192.in-addr.arpa    name = ns2.infanx.com. > 192.168.1.100Server:        192.168.100.100Address:    192.168.100.100#53100.1.168.192.in-addr.arpa    name = bbs.infanx.com.100.1.168.192.in-addr.arpa    name = . > 192.168.1.110Server:        192.168.100.100Address:    192.168.100.100#53110.1.168.192.in-addr.arpa    name = . > 192.168.1.120Server:        192.168.100.100Address:    192.168.100.100#53120.1.168.192.in-addr.arpa    name = mail.infanx.com.

其他示例参考1: 其他示例参考2:CentOS7.9搭建主DNS服务器 正反向解析

二、缓存DNS(转发器)(选做)

在第二台服务器上安装DNS服务 作为主DNS服务器的缓存DNS

2.1 服务配置

安装DNS服务

编辑主配置文件

[root@localhost ~]# vim /etc/named.confoptions {        directory       "/var/named";        dump-file       "/var/named/data/cache_dump.db";        statistics-file "/var/named/data/named_stats.txt";        memstatistics-file "/var/named/data/named_mem_stats.txt";        recursion yes;        forwarders { 192.168.1.1; };            //指明转发器是谁        forward first;            //first:优先使用转发器,如果查询不到再使用本地DNS;            //only:仅使用转发器,如果查询不到则返回DNS客户端查询失败;        dnssec-enable no;        dnssec-validation no;        dnssec-lookaside auto;        bindkeys-file "/etc/named.iscdlv.key";        managed-keys-directory "/var/named/dynamic";        pid-file "/run/named/named.pid";        session-keyfile "/run/named/session.key";};

或者编辑区域配置文件 配置局部转发器 原理同上

[root@localhost ~]# vim /etc/named.rfc1912.zoneszone "infanx.com" IN {        type forward;        forwarders { 192.168.1.1; };        forward first;};

重启DNS服务

进入slaves文件夹验证

[root@localhost ~]# cd /var/named/slaves[root@localhost slaves]# ll总用量 8-rw-r--r--. 1 named named 466 2月  17 00:00 infanx.com.empty-rw-r--r--. 1 named named 466 2月  17 00:00 infanx.com.loopback

三、辅助DNS(DNS集群)(选做)

3.1 题目要求

主DNS正反向文件中分别添加辅助DNS的 NS记录 A记录

3.2 服务配置

安装DNS服务 编辑区域配置文件

[root@localhost ~]# vim /etc/named.rfc1912.zoneszone "1.168.192.in-addr.arpa" IN {        type slave;        file "slaves/infanx.com.loopback";        masters { 192.168.1.1; };};zone "infanx.com" IN {        type slave;        file "slaves/infanx.com.empty";        masters { 192.168.1.1; };};

zone “区域名称” IN {

  type slave; //区域类型为辅助

  file “slaves/文件名”; //文件必须保存在slaves下,其他目录没有权限

  masters { IP1; IP2; }; //指出主服务器是谁

};

在主DNS上修改区域文件时,必须将SOA记录的serial加1,因为slave是通过serial值来进行判断更新的。

四、子DNS(子域授权)(选做)

父DNS配置DNS基础的正向解析文件

父DNS进行子域授权

4.1 服务配置

子域服务器安装DNS

编辑父域正向文件添加NS记录指向子域主DNS

frp     IN      NS      ns1.frpns1.frp IN      A       192.168.1.200

子域编辑区域配置文件

[root@localhost ~]# vim /etc/named.rfc1912.zoneszone "frp.infanx.com" IN {        type master;        file "frp.infanx.com.empty";        allow-update { none; };};

为子域创建正向文件并添加解析记录

[root@localhost ~]# cd /var/named[root@localhost named]# cp -p named.localhost frp.infanx.com.empty[root@localhost named]# vim frp.infanx.com.empty$TTL 1D@       IN SOA  ns1.frp.infanx.com. rname.invalid. (                                        0       ; serial                                        1D      ; refresh                                        1H      ; retry                                        1W      ; expire                                        3H )    ; minimum        IN      NS      ns1ns1     IN      A       192.168.1.200nj      IN      A       192.168.1.201hz      IN      A       192.168.1.202sh      IN      A       192.168.1.203

重启服务并测试

[root@localhost named]# systemctl restart named[root@localhost named]# nslookup> ns1.frp.infanx.comServer:        192.168.1.1Address:    192.168.1.1#53Non-authoritative answer:Name:    ns1.frp.infanx.comAddress: 192.168.100.200 > nj.frp.infanx.comServer:        192.168.1.1Address:    192.168.1.1#53Non-authoritative answer:Name:    nj.frp.infanx.comAddress: 192.168.1.201 > hz.frp.infanx.com     Server:        192.168.1.1Address:    192.168.1.1#53Non-authoritative answer:Name:    hz.frp.infanx.comAddress: 192.168.1.202 > sh.frp.infanx.comServer:        192.168.1.1Address:    192.168.1.1#53Non-authoritative answer:Name:    sh.frp.infanx.comAddress: 192.168.1.203

标签: #centos7无法解析域名